Be afraid: Die Hard 4 reveals a real threat

David Braue

Diligence and gritty determination may have helped Eugene Kaspersky become one of the software world's most successful entrepreneurs, but there's one thing the antivirus king can't bear: Die Hard 4.0.

"I watched the movie for 20 minutes, then pressed pause, got a cigarette and a glass of Scotch. To me it was really scary: they were talking about real scenarios. It was like a user guide for cyber terrorists. I hated that movie," the flamboyant Russian entrepreneur says.

The popular 2007 action film pits Bruce Willis' character, John McClane, against a domestic terrorist who's bent on launching a large-scale cyber attack that would disable financial markets, traffic lights, and other computer-controlled infrastructure across the United States.

For most viewers, it was nothing more than a fast-paced popcorn flick combining macho bravura with implausible technobabble. For Kaspersky it represented the popularisation of a relatively new mode of cyber attack that has now emerged as a real threat.


"We came to the [potential] of cyber terrorist attacks years before Die Hard 4.0," explains Kaspersky, the co-founder and chief executive of security firm Kaspersky Labs. "But it was forbidden in my company to explain it to journalists, because I didn't want to open Pandora's Box. I didn't want to let people think that my business is the business of fear. And I didn't want the bad guys to learn from these ideas."

His "silence" wasn't enough: as at least one high-profile hacking attack has recently shown, industrial control systems – and, in particular, SCADA (Supervisory Control and Data Acquisition) systems used to monitor and manage physical plant processes – can be a target of interest for a number of attackers, from hackers to military operations.


Because of their mission-critical nature, SCADA systems traditionally run on separate data networks with no internet or intranet connectivity. However, some have been brought online, to enable remote access and control.

Their security environments are often managed separately from those of the general enterprise, and they often run on different operating systems that aren't updated as often as enterprise software, leading some experts to believe SCADA systems present potential holes in the cyber defences of critical infrastructure operations.

The threat became clear in mid 2010 as the notorious Stuxnet worm spread across Windows desktops inside Iran's nuclear facilities, until it found systems running Step-7. The software application from German giant Siemens manages SCADA programmable logic controllers (PLCs) that control industrial process lines. It is believed Stuxnet then granted itself root access and reconfigured SCADA systems that met certain specific criteria.

An incident in 2000 brought SCADA sabotage to our shores as Queensland-based former Maroochy Shire Council (now Sunshine Coast Council) was forced to deal with attacks from disgruntled SCADA contractor Vitek Boden, whose work with a laptop and radio transmitter flooded parks, rivers, and a local hotel with 800,000 litres of raw sewage.

"The threat from hackers is real," he explains, arguing that infrastructure authorities should build security controls at every level of the infrastructure to limit their exposure to major attacks.

"Catastrophic failure is one end of the scale, and is the type of thing that fail-safe [measures] and monitoring would mitigate. The idea of security is that it is not added on after everything else is done; it should be part of the overall design and development," Holder says.

"There has been a limited focus on security when it comes to control systems. Some of the control systems in place today are very old, and were installed long before security was an issue. In a perfect world with unlimited time and budgets it would be great to start again, but the reality is that a lot of money has been invested in control systems that can't just be thrown away."

Kaspersky is one of a large chorus of voices arguing for infrastructure operators to tighten SCADA security as a matter of priority – but even he admits that the high cost and long timeframe for replacing systems makes it unlikely much will change in the short term.

Holder agrees: "There is no reason to throw out perfectly good control system infrastructure if it can be made secure," he says. "The real key is whether the equipment can be brought up to standard."

Ongoing delays could leave any infrastructure operator exposed – with disastrous side effects if state-sponsored cyber attacks lead to all-out cyberwar. Some consider Stuxnet to be the first volley in a new kind of economic and political conflict.

Many governments have moved to contain the possibility of unchecked cyber warfare, with the US and China recently running 'war games' testing cyber attacks.

Far from the rarefied heights of international cyber warfare, however, Kaspersky warns that companies can't be complacent when it comes to cyber-security. While new tools are constantly being developed and improved in an effort to keep up with often bloody-minded hackers, he believes companies need to make security an endemic part of their culture.

This includes everything from reworking long-unimproved administrative systems, to forcing senior business managers to undergo formal security training and certification. "These targeted attacks just started to happen on a regular basis in the last two years," he says. "Some of these incidents smell so high-level that I'm sure the bad guys were testing them before they attacked."

"Companies are becoming aware of this," he adds, "but it can take years to develop a new design. In the meantime, they should consider disconnecting some parts of the IT from the network; introducing military security standards to the enterprise environment; and making top managers pass security training. There is no 100 per cent security."